Secure your Saas applications with Visual Guard

Are you creating a security system for a SaaS application? Visual Guard is here to help! This article will list the important questions to ask during your project and the answers that Visual Guard provides to avoid security breaches or functional limitations that will hold you back.

Editorial Note

This article is in the Product Showcase section for our sponsors at CodeProject. These articles are intended to provide you with information on products and services that we consider useful and of value to developers.

Introduction

The security of a SaaS application should combine both strength and flexibility:

System strength will guarantee application security by:

Controlling user access within the limits of their subscription

Assuring data confidentiality between the users sharing the application

Eliminating security weaknesses and protecting you from external attacks

System flexibility will contribute to the development of your business by:

Facilitating the evolution of your business model and the creation of your offer

Responding to client needs related to user management (see below)

Supporting scalability: optimizing performance and simplifying administration of large numbers of users and secured components

This article presents Visual Guard's technical and functional specifications, which allow you to attain both goals. You will be able to design the security of your SaaS application to cover your short-term needs while anticipating the future evolution of your business and the additional needs that go along with it.

Delegate administration rights to your clients?

Initially, you may be managing users and access rights yourself.

As the volume of users increases, you – and your clients – may wish to delegate certain administration rights so that your clients are managing their users and accounts themselves.

Visual Guard proposes:

An administration interface accessible to non-technical users, allowing you to delegate user administration to local business managers

This administration interface includes all commonly required access control functions and offers access via the Internet (account management, assignment of groups and access rights, visibility and control of security data…)

If you develop a multi-tenant SaaS application (a single instance of the application used by multiple clients), you must restrict each client's administration rights to their own user accounts: a client administrator must never be able to view or modify another client's accounts, and that boundary has to be enforced on the server for every administrative operation, not just hidden in the interface.

Single Sign-On: Simplify the Lives of your Users

If your product catalogue is composed of a suite of applications, Visual Guard allows you to provide Single Sign-On (SSO) to simplify your users' experience:

They can access multiple applications, passing freely from one to another

If the applications make calls to Secured Web Services, the users will also be authenticated for each web service used

Each user will log in to the first site and will then be able to access other sites without having to re-enter their credentials (Single Sign-On)

The Visual Guard SSO system includes the following functionalities:

1 – User Session Management

When the user passes from one site to another, the Web SSO system:

Identifies the user

Recreates their session for each site visited

Loads and applies the security data (attributes, roles, permissions…)

Note: The Visual Guard Web SSO includes mechanisms to manage security tokens (to create, transfer and secure the tokens). These mechanisms are optimized to avoid performance issues (for example, it doesn't “simply” authenticate a user and then reload their security for each page visited: the response times would become too long when the number of visits increases).

What if your users could reuse existing accounts?

The majority of SaaS applications require that you create a new account for each user.
The problem is that users already have multiple accounts, and every additional one generates support costs for companies (password resets, lockouts; see The Real Cost of Passwords).

Certain clients may wish to reuse their existing user accounts (for example, their Windows accounts). Visual Guard allows you to grant access rights to your applications to accounts managed by other organizations. Thus, you can federate user accounts from several clients or partners and define their access rights to your system.

To read more on federating user accounts and managing their access rights:

Be Ready for Changes to your Business Model

The administration interface must be designed to manage large numbers of users and access rights (to guide the administrator performing operations and searches, to keep the response time of the security repository acceptable, and so on).

Once the application is in production, user authentication and the calculation of access rights must be optimized to avoid long wait times. For example, a system that queries the security repository every time a user opens a new page is far more likely to run into performance problems as the number of users and page views grows.

Case 1: Default SaaS model.
The application is hosted by the vendor with Visual Guard integrated. Users access it via the Internet.

Customers pay to use your application on a time-limited, recurring basis.

Business model: pay-per-use. Software delivery model: SaaS.

Case 2: For security or technical reasons, customers may request that you install the application in their environment. Users access it via LAN or Internet.

The vendor still manages Access Control with Visual Guard: customers pay to use the application on a time-limited, recurring basis.

Separate Security from Business Logic

The majority of projects write application code to define how to apply user permissions. For example, according to the role of the user, this code will deactivate a menu, hide a control, filter a list of data…

As a result, if we want to change the application security (adding new restrictions, for example), we need to perform a full development cycle (design, coding, test, deployment).

Visual Guard has developed an innovative technology to eliminate these inconveniences and completely separate security from business logic:

Visual Guard defines permissions and stores them in its security database.

When the application is in production, Visual Guard loads the user's permissions from the security database and applies them dynamically. The application itself therefore contains no hand-written permission checks.

This solution has the following benefits:

Agility: you can update security rules in minutes, even when the application is in production.

Maintenance costs: no changes in the code when security is updated. You avoid a complete development cycle and the code is easier to maintain.

Pay-per-use Billing and Payment

If your business model is based on a pay-per-use SaaS model, or includes temporary use rights, Visual Guard allows you to offer:

User accounts with a limited time span

An API enabling collaboration with a billing system to automatically update the expiry date of each account

A user interface that allows the sales team or helpdesk to modify this information (for example, to handle an exceptional case or correct an error), with the change taking effect immediately for the user.
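The three mechanisms above (delegated administration scoped to a tenant, permissions held as data rather than code, and time-limited accounts) fit together in one small authorization model. The following is an added example written for this article, not Visual Guard's code or API: the repository content and every name in it (REPOSITORY, CONTROLS, may_manage_user and so on) are constructed for illustration. It shows roles and permissions loaded from data, UI control states derived from them at runtime, a subscription expiry that fails closed, and a server-side check that keeps a tenant administrator inside their own tenant.

```python
"""Data-driven authorization for a multi-tenant SaaS application.

Added example: the 'security repository' below is constructed in-line;
in a real deployment it would be read from the security database.
All names are hypothetical.
"""
from datetime import datetime, timezone

# Constructed repository content: roles map to permissions, accounts map
# to a tenant, a role list and an ISO-8601 subscription expiry.
REPOSITORY = {
    "roles": {
        "viewer": {"report.view"},
        "editor": {"report.view", "report.edit"},
        "tenant_admin": {"report.view", "user.manage"},
    },
    "accounts": {
        "alice": {"tenant": "acme", "roles": ["editor"],
                  "expires_at": "2099-01-01T00:00:00+00:00"},
        "bob": {"tenant": "acme", "roles": ["tenant_admin"],
                "expires_at": "2099-01-01T00:00:00+00:00"},
        "carol": {"tenant": "globex", "roles": ["viewer"],
                  "expires_at": "2000-01-01T00:00:00+00:00"},  # lapsed
        "dave": {"tenant": "globex", "roles": ["editor"]},     # no expiry
    },
}

# UI controls and the permission each one needs: data, not code, so a rule
# change is a repository edit rather than a development cycle.
CONTROLS = {
    "menu.reports": "report.view",
    "button.save_report": "report.edit",
    "menu.user_admin": "user.manage",
}


def account_active(account, now=None):
    """Fail closed: no expiry, an unparseable one, or a naive timestamp
    (no timezone) all mean 'inactive'. Comparison is done in UTC."""
    now = now or datetime.now(timezone.utc)
    raw = account.get("expires_at")
    if not raw:
        return False
    try:
        expires = datetime.fromisoformat(raw)
    except ValueError:
        return False
    if expires.tzinfo is None:
        return False
    return now < expires


def effective_permissions(username, now=None):
    """Union of the permissions of every role held by an active account."""
    account = REPOSITORY["accounts"].get(username)
    if account is None or not account_active(account, now):
        return frozenset()
    perms = set()
    for role in account["roles"]:
        perms |= REPOSITORY["roles"].get(role, set())
    return frozenset(perms)


def control_states(username, now=None):
    """What the UI layer applies at runtime: True = enabled/visible."""
    perms = effective_permissions(username, now)
    return {ctl: (required in perms) for ctl, required in CONTROLS.items()}


def may_manage_user(admin, target, now=None):
    """Server-side check for delegated administration: the caller needs
    user.manage AND the target account must belong to the caller's tenant."""
    if "user.manage" not in effective_permissions(admin, now):
        return False
    accounts = REPOSITORY["accounts"]
    if target not in accounts:
        return False
    return accounts[admin]["tenant"] == accounts[target]["tenant"]
```

Two design points worth keeping whichever product you use: the UI states produced by control_states are a convenience for the user, not a security boundary, so every server-side action must re-check the same permission set (as may_manage_user does); and an account with no recorded expiry is treated as inactive rather than as unlimited, so a billing-system hiccup locks a user out rather than granting free access.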

Reliability and Performance

Visual Guard's administration interface has been designed to easily manage large numbers of users and access rights (guides an administrator performing operations and searches, optimizes the response time of the security repository…).

When a SaaS application is in production, the Visual Guard processes that authenticate the user and calculate their access rights are optimized to avoid long wait times: the system does not need to query the security repository each time a user opens a new page, which avoids performance problems as the number of users and page views increases.
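Caching a user's security data for the session is what makes the per-page cost acceptable, but it conflicts with the earlier promise that rule changes take effect in minutes unless the cache knows when the rules changed. The following is an added example, not Visual Guard's implementation: it keeps a per-session copy of the permissions stamped with a repository version number, so a page view costs one cheap version read and a full reload happens only after an administrator has changed something. The classes, method names and the counters are hypothetical.

```python
"""Session-scoped permission cache that stays consistent with rule updates.

Added example. A page view reads one integer (the repository version)
instead of the user's full rule set; the rule set is reloaded only when
that version has moved, i.e. after an administrative change.
"""


class SecurityRepository:
    """Stand-in for the security database (constructed content)."""

    def __init__(self):
        self.version = 1
        self._perms = {"alice": {"report.view", "report.edit"}}
        self.full_reads = 0      # expensive: a user's complete rule set
        self.version_reads = 0   # cheap: a single integer

    def current_version(self):
        self.version_reads += 1
        return self.version

    def load_permissions(self, user):
        self.full_reads += 1
        return frozenset(self._perms.get(user, set()))

    def update_rules(self, user, permissions):
        """Administrative change: store it and bump the version so that
        every live session refreshes on its next page view."""
        self._perms[user] = set(permissions)
        self.version += 1


class UserSession:
    def __init__(self, repo, user):
        self.repo = repo
        self.user = user
        self._cached_version = None
        self._perms = frozenset()

    def permissions(self):
        """Called on every page view; reloads only if the repository moved."""
        version = self.repo.current_version()
        if version != self._cached_version:
            self._perms = self.repo.load_permissions(self.user)
            self._cached_version = version
        return self._perms

    def allowed(self, permission):
        return permission in self.permissions()


def simulate_page_views(page_views=50):
    """Drive one session through N page views, then revoke a right.

    Returns (full_reads, version_reads, allowed_before, allowed_after)."""
    repo = SecurityRepository()
    session = UserSession(repo, "alice")
    for _ in range(page_views):
        session.allowed("report.edit")
    before = session.allowed("report.edit")
    repo.update_rules("alice", {"report.view"})   # admin removes edit right
    after = session.allowed("report.edit")
    return repo.full_reads, repo.version_reads, before, after
```

With 50 page views the repository answers 52 version reads but only 2 full reads, and the revocation is visible on the very next page view. In a multi-node deployment the version would live in the shared database or a shared cache rather than in process memory; a time-to-live cache is the simpler alternative, at the cost of a revocation window as long as the TTL.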

Protection against Security Breaches

Since a SaaS application is accessible via the Internet and manages client data, Visual Guard has been designed to resist the most common classes of attack:

Unauthorized access to security data:

Security data is not readable by direct SQL access. Visual Guard requires a secured connection via the SaaS application or via the administration interface to read and modify this data.

Sensitive data such as passwords is not stored in clear text. For passwords in particular, check that they are stored as salted, slow hashes rather than reversibly encrypted: an encrypted password store is only as safe as the key that decrypts it.

Denial of service: Visual Guard includes protection against attempts to make it unavailable to customers by saturating it with logon requests.

Packet sniffing: Visual Guard includes protection against the capture of network traffic to recover passwords or security tokens in transit. An attacker who steals such a token can call the system as though they were the legitimate user. Whatever the product, this protection only holds if every hop is encrypted in transit (TLS), including calls from the application to secured web services, not just the user's browser session.

SQL injection:
The Visual Guard administration console contains search fields, for example to find a user account. It is hardened against SQL injection, in which an attacker types fragments of SQL statements into the search field in order to read confidential information or to alter the security data.

Make or buy?

Timeframe is key: we've seen in this article that security and access control for SaaS applications involve complex functionalities. For an internal project, they require a significant time commitment and skilled developers.
If you are working in a limited timeframe or the required expertise is not available, a ready-to-use access control solution like Visual Guard is your best solution.

Evolution: consult the history and past versions of the solution: Visual Guard follows technical evolutions of the market; new versions are published regularly (see the Visual Guard Update List).

Product and support quality: Visual Guard is a stable and widely deployed solution, for which you can consult the reviews of other users.

Longevity: Visual Guard proposes an escrow agreement (a copy of the source code is deposited with a third party who will send it to clients if there is an interruption in service by the provider, Novalys)

Why not combine all these advantages? The Visual Guard team is attentive to their users' needs when choosing how to continually evolve their application with the market. You benefit from the advantages of a standard solution (more stable and complete at a lower cost) while being able to influence future development to better cover your specific needs.